Bug 240848 - Reduce spam value of FreeBSD Bugzilla instance
Status: Open
Alias: None
Product: Services
Classification: Unclassified
Component: Bug Tracker
Version: unspecified
Hardware: Any
OS: Any
Importance: --- Affects Some People
Assignee: Bugmeister
URL:
Keywords:
Depends on: 241124
Blocks:
Reported: 2019-09-26 17:24 UTC by Conrad Meyer
Modified: 2019-10-08 02:04 UTC
CC: 1 user

Description Conrad Meyer freebsd_committer 2019-09-26 17:24:07 UTC
Part of the reason our Bugzilla is a target for spammers is that our links lack any rel="ugc" or rel="nofollow" attribute.  That means they can get some search engine power by spamming their links in comments or any metadata field that renders as a link, such as the "URL" field.

Here's more on rel= ugc/nofollow from Google:
https://support.google.com/webmasters/answer/96569?hl=en

While looking into this, I also noticed that our "URL" fields render with rel="noreferrer", but our comment links do not.  I don't see any great reason to hide our bugzilla as the referrer on either type of link.  I guess the reason is that our "URL" links have target="_blank", which for some convoluted reason presents a security problem.  Again described by Google:

https://developers.google.com/web/tools/lighthouse/audits/noopener

So my tl;dr suggestions, ordered by priority, are:

1. Add rel="ugc" to rendered comment links.
2. Add ugc to the URL field links.  (Can other metadata create links to user-provided URLs?  AFAIK, no.)  That looks like: rel="noreferrer ugc", I believe.

Time permitting:
3. Investigate and replace "noreferrer" with "noopener" in URL links -- I think it serves the same security purpose without breaking the HTTP "referer" header.
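The link hardening the three suggestions above describe, as an added example that is not part of this report and not Bugzilla's own code (Bugzilla renders comments through Perl and Template Toolkit; this is a standalone Python illustration). It takes an HTML fragment as a tracker would emit it, adds rel tokens marking every user-supplied link as untrusted (suggestion 1 and 2, defaulting to the "nofollow ugc" variant raised later in this thread), and on target="_blank" links either swaps noreferrer for noopener (suggestion 3) or keeps noreferrer, which the HTML spec defines as implying noopener. The names harden_links, LinkHardener and the sample fragment COMMENT_HTML are assumptions made for the example.

```python
"""Added example, not Bugzilla code: a rewriter for user-supplied links in an
HTML fragment, applying the rel=/target= rules proposed in this report."""
from html import escape
from html.parser import HTMLParser

# Tokens to add to user-supplied links.  "ugc" alone is suggestion 1 in the
# description; "nofollow ugc" (comment 2's variant) is the default here.
UGC_REL = ("nofollow", "ugc")


class LinkHardener(HTMLParser):
    """Re-emit an HTML fragment, rewriting rel= on every <a href=...>."""

    def __init__(self, ugc_tokens=UGC_REL, keep_referrer=True):
        super().__init__(convert_charrefs=False)
        self.ugc_tokens = ugc_tokens
        self.keep_referrer = keep_referrer
        self.out = []

    @staticmethod
    def fmt_tag(tag, attrs, self_closing=False):
        parts = [tag]
        for name, value in attrs:
            # HTMLParser hands us unescaped values; re-escape on the way out.
            parts.append(name if value is None
                         else f'{name}="{escape(value, quote=True)}"')
        return "<" + " ".join(parts) + (" />" if self_closing else ">")

    def harden(self, attrs):
        d = dict(attrs)
        rel = set((d.get("rel") or "").split())
        rel.update(self.ugc_tokens)
        if d.get("target") == "_blank":
            # Without noopener/noreferrer the opened page gets window.opener
            # and can navigate the tracker tab (the Lighthouse audit cited
            # above).  rel=noreferrer implies noopener per the HTML spec but
            # also strips the Referer header; suggestion 3 prefers noopener.
            if self.keep_referrer:
                rel.discard("noreferrer")
                rel.add("noopener")
            else:
                rel.add("noreferrer")
        d["rel"] = " ".join(sorted(rel))  # sorted for deterministic output
        return list(d.items())

    def handle_starttag(self, tag, attrs):
        if tag == "a" and any(name == "href" for name, _ in attrs):
            attrs = self.harden(attrs)
        self.out.append(self.fmt_tag(tag, attrs))

    def handle_startendtag(self, tag, attrs):
        self.out.append(self.fmt_tag(tag, attrs, self_closing=True))

    def handle_endtag(self, tag):
        self.out.append(f"</{tag}>")

    def handle_data(self, data):
        self.out.append(data)

    def handle_entityref(self, name):
        self.out.append(f"&{name};")

    def handle_charref(self, name):
        self.out.append(f"&#{name};")


def harden_links(fragment, ugc_tokens=UGC_REL, keep_referrer=True):
    """Return `fragment` with every <a href> link hardened."""
    parser = LinkHardener(ugc_tokens, keep_referrer)
    parser.feed(fragment)
    parser.close()
    return "".join(parser.out)


# Constructed sample: a bare comment link, plus a "URL"-field style link that
# already carries target="_blank" rel="noreferrer" as the report describes.
COMMENT_HTML = (
    'See <a href="https://example.com/spam?a=1&amp;b=2">this</a> and '
    '<a href="https://example.org/" target="_blank" rel="noreferrer">url</a>.'
)

if __name__ == "__main__":
    print(harden_links(COMMENT_HTML))
```

The rewriter is deliberately run on the final rendered fragment rather than on the raw comment text, so it catches every link the template layer produces, including links in metadata fields, not only the ones the comment linkifier created. Existing rel tokens are preserved and merged, so applying it twice is harmless.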
Comment 1 Kubilay Kocak freebsd_committer freebsd_triage 2019-09-29 09:12:16 UTC
Nice report Conrad, thank you for the detail

I'll talk to upstream about this. It may be that this has been solved in one capacity or another. Worst case, we can submit any improvements we make here upstream and carry them locally until a future release.
Comment 2 Kubilay Kocak freebsd_committer freebsd_triage 2019-09-30 04:32:57 UTC
Given the recentness (Sept 2019) of the nofollow changes (introduction of ugc, sponsored), it may be prudent to consider the first iteration of the improvement proposal to be to blanket use 'nofollow' (without granularity), until the situation settles and we have better indicators of what the implications might be, particularly with regard to a publisher's 'explicit' desire to mark untrusted links for the purposes of reducing the spam value of a site.

See Also:

https://moz.com/blog/nofollow-sponsored-ugc

Also, given ugc/sponsored can be used in 'addition' to nofollow, we may want to consider 'nofollow ugc' as well.
Comment 3 Conrad Meyer freebsd_committer 2019-09-30 05:28:32 UTC
Sure, "nofollow ugc" is fine, or even just "nofollow".